Individual Responsibility for Information Security

Document Type: Policy
Document Owner: Information Security Manager
Approved by: Corporate HR (Oct 01, 2010), CIO (Oct 01, 2010)
Revision No: 2.2
Revision Date: March 04, 2011
Information Classification: INTERNAL
File: Individual Responsibility for InfoSec 101001.doc

1 Introduction

All of us have an interest in SCA’s success. The success of SCA is to a large degree determined by information, knowledge and experience. Our market position and jobs are endangered if competitors obtain information about our research activities, product development and launches or other business strategies. In addition, our position as a sustainable company with a good reputation on the stock market as well as within society as a whole will be endangered if we are not able to uphold a high level of information security. It is of vital importance that these values are appropriately protected.

The purpose of this policy is to protect SCA’s business and the interests of shareholders, customers, partners, employees and others. This document describes the rules and guidelines for protecting information and the use of computers, networks, information systems and the Internet (IT resources) within SCA. The rules apply to all employees, independent contractors, temporary workers and every other user of SCA’s information technology resources (Users). The implementation of this policy should always be in compliance with applicable laws and regulations. The SCA HR organization is responsible for ensuring that all concerned Users sign this policy.

1.1 Basic Premises

The basic premise on which this policy is based is that the IT resources of SCA are owned by SCA and represent work tools used in the service of the company. Moreover, the company should not incur damages, liabilities or other unnecessary costs due to inappropriate use of these work tools.

1.2 Individual Responsibilities

By following this policy, you will meet SCA’s expectations and contribute your part in protecting SCA’s values. Non-compliance with this policy may result in disciplinary and/or administrative actions. Serious violations, such as disclosure of confidential information or serious misuse of provided IT resources, may result in termination of employment and legal action.

1.3 Private Use of IT Resources

Access to IT resources is provided to Users to enable work efficiency. However, reasonable and minimal use of IT resources for personal purposes is acceptable provided that the usage does not interfere with any commitments towards or by SCA and that the usage does not result in substantial costs for SCA.

2 Monitoring

The use of IT resources will be monitored without prior notice or permission whenever monitoring, in SCA’s opinion, is justified. Monitoring of individuals’ use of IT resources shall however always be exercised in the light of the following two general principles.

• Monitoring and use of information obtained during monitoring shall always be in compliance with applicable laws and regulations.
• Monitoring shall not constitute a manifest infringement on an employee’s personal privacy unless the measure is taken for an authorised purpose and is seen to be an admissible intrusion into an employee’s personal privacy having regard to the purpose justifying the measure.

Monitoring may for example occur for the following purposes.

• Monitoring during the normal course of system and network administration.
• Monitoring for the investigation of suspected conduct, performance failings or violation of this policy.
• Monitoring for the prevention of spreading confidential information.
• Routine monitoring of e-mail traffic flow and examination of e-mail for manual routing where the message is undeliverable because of an incorrect e-mail address.
• Reviewing of work-related e-mail while the user is unavailable, to ensure that urgent matters are dealt with.

SCA may be required to disclose electronically stored information to third parties pursuant to legal proceedings or if required by authorities.

Monitoring for the investigation of suspected conduct only takes place after a written request from the relevant HR Manager. The SCA Information Security Manager receives the request and approves the monitoring. A system administrator will thereafter extract the relevant data and send it to the requesting HR Manager or his/her representative. Monitoring and review of the results of monitoring will only be performed by a defined and limited number of individuals. SCA will avoid, where possible, opening e-mails/documents clearly marked as private and confidential, unless it is suspected that such material violates this policy.

3 Information Security Instructions

3.1 Be Aware

People are often referred to as the weakest link in an information security program. Through either intentional or accidental misuse of access, people often leave networks and organisations exposed. All too often, security programs tend to focus on technical controls rather than the human factor. Therefore criminals use techniques such as social engineering [1] and phishing [2] to gain access to systems and networks.

[1] Social engineering is the act of manipulating people who trust you into disclosing confidential or personal information.
[2] Phishing is a term used to describe a fraudulent attempt to get sensitive information such as passwords or credit card details by masquerading as a trustworthy person in an e-mail or on the Internet.

SCA’s security level and our success depend on your behaviour and common sense. For example, when an unknown person is unaccompanied on SCA premises, confront them and ask if you can help. Be also aware that most threats towards an organisation come from the inside.

Make sure visitors to SCA premises cannot see confidential information on displays, whiteboards or on paper. Consider this risk when, for example, doing a walk-around with a customer. Demonstrating security-aware behaviour in meetings with customers or other external parties shows credibility and trustworthiness.

3.2 Information Classification

How information and data is handled has a direct impact on SCA’s business and reputation. Information classification is a means of classifying and defining how information should be handled. SCA classifies information as follows:

Class: Public
  Description: Information that is generally available to and known by the public.
  Handling principle: Get approval for publication.

Class: Internal
  Description: Information that is not generally available to and known by the public.
  Handling principle: To be treated as company property.

Class: Confidential
  Description: Internal information that is important to keep confidential and that should be treated with care.
  Handling principle: Be cautious!

Class: Strictly Confidential
  Description: Internal information that is extremely important to keep confidential and that should be treated with the utmost care.
  Handling principle: Treat with utmost care.

Information may be Confidential or Strictly Confidential for various reasons. Making certain information public may in some cases harm the company or any of its many different stakeholders (employees, shareholders, financiers, business partners and others). It might also be that SCA has taken on a contractual obligation not to disclose certain information, or we might in some cases even be obliged under law to treat certain information as confidential.

Users are responsible for protecting corporate information in their possession against loss, falsification and misuse of any kind.

• Confidential and strictly confidential documents and data media must not be left unattended, and must be locked away when not in use.
• Information kept on a PC (laptop) should always be stored in <My Document>. This folder is encrypted, and a backup of this folder is taken automatically when connecting to the SCA network.
• Used or no longer needed confidential information should be securely disposed of. For paper, use a shredder; non-erasable media (e.g. DVDs) are to be physically destroyed; all IT equipment no longer in use should be returned to the IT organization.

See further in “Information Classification Standard”, http://intranet.sca.se/Awareness.

3.3 Your Password

Passwords are the front line of protection for user login accounts. A poorly chosen password may result in unauthorized access to SCA’s entire corporate network. Never use the same password for SCA systems as is used outside SCA or used privately. SCA systems must be protected by strong passwords that are:

• at least eight characters in length
• a combination of both lower-case and capital letters as well as digits or other characters
• changed every 60 days, at a minimum
• not re-used; a history file of 12 changes is kept

Users are responsible for activities and possible misuse originating from their accounts. Therefore it is important that passwords are not disclosed to anyone, whether intentionally or accidentally. A password should not be written down in clear text or stored unencrypted. The password must be changed immediately if it is suspected that it has been compromised.

3.4 In the Office

In SCA locations, visitors must always be checked in and obtain a visitor’s badge, identifying them as approved to be in the building. Visitor badges give the opportunity to address visitors and customers by name more easily, making them feel more welcome. They also provide added security in SCA facilities. Therefore it is important that you, as an SCA employee, carry a badge for identification.

To reduce the risk of a security breach, fraud and information theft caused by documents being left unattended on SCA’s premises, a clear desk approach should be followed.

• Lock your computer (Ctrl-Alt-Delete, Enter) or (Start-L) whenever you leave a PC unattended.
• Laptops left in the office overnight and during weekends must be put away. This will make it more difficult for a thief to clear out all laptops in one burglary.
• Documents and data media must always be treated in such a way that loss, damage, destruction, confusion and unauthorized access are sufficiently prevented.
• Regularly shut down your computer to allow patches to be installed at start-up.

Examples:

✓ Remove or lock away all confidential information after a conference. This includes flipcharts, notes on whiteboards, and other notes.
✓ After copying or printing a confidential document, make sure that nothing is forgotten in the office machine (copy machine, printer and fax).
✓ If a confidential or a strictly confidential document is found left behind, it should be sent to the owner. If the owner cannot be determined, the found material should be sent to a senior manager.

3.5 Outside the Office

The SCA Global Network (SGN) and SCA internal systems can be reached from outside SCA premises through approved VPN [3] services, e.g. (ec)Access.

• The SCA VPN services provide increased protection when accessing the Internet from outside the office and must be used when technically possible.
• Computers and other devices with installed VPN access to SGN must be properly locked and protected.
• For laptops, USB devices, phones and other mobile equipment which are taken outside SCA premises: if confidential or strictly confidential information is stored on the equipment, this information must be strongly encrypted.
• Portable machines and external devices must not be left unattended anywhere in plain sight, particularly in cars, hotel rooms or in public areas.
• It must be made sure that no unauthorized person can overhear an oral/telephone conversation held in public if confidential business information is being discussed.

[3] VPN (Virtual Private Network): a technique to create secure connections between two points in an insecure network, e.g. the Internet.

3.6 Backup

• All data should be stored on servers supported by a backup service.
• When a user is offline, he/she is responsible for ensuring that a backup is taken of data on the client, e.g. a laptop. This is preferably done by an automatic synchronization service or by manually copying the data to a server (e.g. home directory) where backup is taken.
• When a so-called “Personal Folder” is used in Outlook to archive e-mails, it is your own responsibility to make a regular backup of the PST file. Check with your local IT support how this is done.

3.7 Safe E-mail

Electronic messages must be treated like a regular form of formal correspondence, and the content and language used must be consistent with established company policy. Electronic messages sent by anyone may easily be archived by other parties and made searchable over a long period of time. Information sent over the Internet, including electronic messages, can result in legal action against SCA. Claims of defamation, breach of confidentiality or contract could arise from any misuse or careless use of these facilities.

• Be sensitive to the content of your e-mail messages, especially when sent to people whose culture and laws may be different from yours. Ensure that nothing you write in an e-mail, or as a contributor to a discussion group, could be libellous, offensive or damaging to your reputation, your colleagues or SCA.
• Activities conducted using an SCA e-mail address (i.e. firstname.lastname@sca.com) reflect directly on SCA’s image and reputation. Users are not permitted to conduct activities on any such account which could embarrass or damage SCA’s image or reputation.
• An SCA e-mail address must be used with care and primarily for business purposes.
• Distribution of chain letters is prohibited. Delete chain letters or e-mails of a similar nature. Chain letters and fake virus warnings (hoaxes) disrupt network traffic.
• Only authorized departments or persons may distribute warning messages.
• Be suspicious of e-mail attachments from unexpected sources. Never open them unless you are sure they are genuine.
• Never click on links within e-mails or documents from unexpected sources.
• Company information must not reside on servers outside SCA’s control; therefore, e.g., forwarding of business e-mail to public e-mail services (like HOTMAIL) is prohibited.
• E-mail messages and attachments classified as “Confidential” or “Strictly Confidential” must be protected using encryption.
• Digital signatures (alone or together with encryption, if necessary) must be used for those e-mails for which the integrity of the content or the legal responsibility of the sender is to be ensured.

3.8 Using the Internet

The Internet is an excellent source of information for investigations and for making work more efficient. On the other hand, the use of the Internet brings a number of threats, making it important to be observant and to use it with care.

• Act professionally to protect SCA’s proprietary and confidential information; never post confidential information on Internet sites.
• Comply with the laws and ethics of the country from which you access the Internet; they may not be the same as those of the country where you live.
• Remember that the Internet is a public forum, and that you represent SCA whenever you use an SCA Internet gateway.
• When using social media [4] for corporate use, employees can only represent SCA in the same role and capacity as in their daily work.
• Do not let other people think that you are publishing content or acting on behalf of SCA as a company when using social media privately.
• It is strictly prohibited to view, download or handle material which can be considered offensive or abusive (including but not limited to any material that could be perceived as sexually explicit or offensive on the grounds of race, sexual orientation, national origin, gender, disability, religious or political beliefs) on any SCA computer. In addition to being a breach of this policy, downloading such material may lead to criminal prosecution. Any comments made via e-mail regarding the above areas are similarly prohibited.

[4] Social media: Internet-based technology for many-to-many social interactions based on user-generated content, e.g. Internet forums (Facebook), blogs, wikis.

3.9 Business Partners

• Business partners must sign a non-disclosure agreement before obtaining access to company proprietary systems or information.
• If stricter rules for information security have been contractually agreed upon with business partners, or if a business partner demands stricter rules, they must be observed.

3.10 Incident Reporting

A security incident or breach (intentional or accidental) can be any event that threatens SCA systems or information. This includes events such as virus infection, misuse of another person’s password/privilege, loss of data integrity, computer hacking, losing a smart phone, a stolen PC providing network access, etc.

• All incidents, regardless of seriousness, should be reported. Incidents should normally be reported to the local or regional ServiceDesk. However, incidents of a sensitive or confidential nature should be reported to the SCA Information Security Manager.
• Incident reports are one of the best sources for understanding the needed security level. Any suggestions for improvements regarding security are most valuable and can be forwarded through the Service Desk.

3.11 Acceptable Use

• All connections and other adjustments to computers or other equipment in the company’s network, without exception, must have prior approval from the IT department. Restrictions exist on connecting mobile devices to SCA internal networks.
• The user is responsible for the security of his or her computer/personal device.
• Users may only use SCA business information for the proper business purposes of SCA, and as instructed by officials, e.g. line managers.
• Ensure that you comply with local privacy legislation relating to the storage and communication of personal information. Be ethical in the way you handle personal information concerning colleagues and other individuals.
• Only authorized and fully licensed software may be installed or used on company systems. IT management must authorize all software, and installation must be under the control of the SCA IT organisation.
• CDs, DVDs, or USB sticks from unexpected sources should not be used or connected to SCA equipment.

3.12 Intellectual Property

SCA’s intellectual property rights, confidential information and data, as well as the intellectual property, information and data of its customers and partners, are highly valuable corporate assets. As such they must be protected from deliberate, unintentional or unauthorized alteration, copying, destruction and inappropriate disclosure or dissemination, and are to be used only in accordance with established SCA policy and standards and all applicable laws and regulations in the countries or states in which SCA and its affiliates operate. Intellectual property legislation, i.e. copyright and patent law, prohibits duplication and alteration of material without authorization.

It is not permitted to distribute, download or upload pirated software or any material, including but not limited to music/sound, films, audio-visual recordings, texts, databases, images, photographs and logos, without obtaining the necessary permission from the owners of such works.

4 Further Help and Information

Your local IT or HR organization can deal with any questions you may have regarding this policy or the correct use of IT resources. Your manager or supervisor can also, if needed, help you to interpret the policy. Some of the topics mentioned in this policy are defined in more detail in other documents and can be found on the SCA Information Security homepage, http://intranet.sca.se/InfoSec.

Approval (Enclosure)

I have understood and accept the conditions and rules for protecting SCA information and using SCA IT resources as described in the policy Individual Responsibility for Information Security. I will to the best of my ability act accordingly.

__________________________________ Date

__________________________________ Name

__________________________________ Signature